
[PATCH v4 1/4] x86: Reject CPU policies with vendors other than the host's


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
  • Date: Wed, 11 Mar 2026 15:27:04 +0100
  • Cc: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>, Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>, Community Manager <community.manager@xxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>
  • Delivery-date: Wed, 11 Mar 2026 14:27:40 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

While in principle it's possible to have a vendor virtualising another,
this is fairly tricky in practice and comes with the world's supply of
security issues.

Reject any CPU policy with vendors not matching the host's.

Signed-off-by: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
---
v4:
  * Adjusted CHANGELOG
---
 CHANGELOG.md                             |  5 +++++
 tools/tests/cpu-policy/test-cpu-policy.c | 27 ++++++++++++++++++++++++
 xen/arch/x86/lib/cpu-policy/policy.c     |  5 ++++-
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c191e504aba..90ba5da69e4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,11 @@ The format is based on [Keep a 
Changelog](https://keepachangelog.com/en/1.0.0/)
    - Xenoprofile support.  Oprofile themselves removed support for Xen in 2014
      prior to the version 1.0 release, and there has been no development since
      before then in Xen.
+   - Domains can no longer run on a system with CPUs of a vendor different from
+     the one they were initially launched on. This affects live migrations and
+     save/restore workflows across mixed-vendor hosts. Cross-vendor emulation
+     has always been unreliable, but since 2017 with the advent of speculation
+     security it became unsustainably so.
 
  - Removed xenpm tool on non-x86 platforms as it doesn't actually provide
    anything useful outside of x86.
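Review bot: The last sentence of the new CHANGELOG entry, "since 2017 with the advent of speculation security it became unsustainably so", is vague for someone reading release notes; "speculative execution vulnerabilities" would say what is meant. The entry also says domains "can no longer run" on a different-vendor system, while the code change in this patch is that the CPU policy compatibility check fails. Wording it as "migration or restore onto a host of a different CPU vendor is now rejected" would tell operators what they will actually observe.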
diff --git a/tools/tests/cpu-policy/test-cpu-policy.c 
b/tools/tests/cpu-policy/test-cpu-policy.c
index 301df2c0028..88a9a26e8f1 100644
--- a/tools/tests/cpu-policy/test-cpu-policy.c
+++ b/tools/tests/cpu-policy/test-cpu-policy.c
@@ -586,6 +586,19 @@ static void test_is_compatible_success(void)
                 .platform_info.cpuid_faulting = true,
             },
         },
+        {
+            .name = "Host CPU vendor == Guest CPU vendor (both unknown)",
+            .host = {
+                .basic.vendor_ebx = X86_VENDOR_AMD_EBX + 1,
+                .basic.vendor_ecx = X86_VENDOR_AMD_ECX,
+                .basic.vendor_edx = X86_VENDOR_AMD_EDX,
+            },
+            .guest = {
+                .basic.vendor_ebx = X86_VENDOR_AMD_EBX + 1,
+                .basic.vendor_ecx = X86_VENDOR_AMD_ECX,
+                .basic.vendor_edx = X86_VENDOR_AMD_EDX,
+            },
+        },
     };
     struct cpu_policy_errors no_errors = INIT_CPU_POLICY_ERRORS;
 
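Review bot: The new success case builds its vendor with `X86_VENDOR_AMD_EBX + 1`, which is a non-obvious way of producing a vendor string that matches no known vendor. A short comment above the entry saying so would help, since the test name's "(both unknown)" is the only hint. The case also only shows that identical unknown vendors are accepted; a sibling entry where host and guest carry the same known vendor (the unmodified `X86_VENDOR_AMD_*` constants) would pin down the common path explicitly rather than relying on the existing entries.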
@@ -629,6 +642,20 @@ static void test_is_compatible_failure(void)
             },
             .e = { -1, -1, 0xce },
         },
+        {
+            .name = "Host CPU vendor != Guest CPU vendor (both unknown)",
+            .host = {
+                .basic.vendor_ebx = X86_VENDOR_AMD_EBX + 1,
+                .basic.vendor_ecx = X86_VENDOR_AMD_ECX,
+                .basic.vendor_edx = X86_VENDOR_AMD_EDX,
+            },
+            .guest = {
+                .basic.vendor_ebx = X86_VENDOR_AMD_EBX + 2,
+                .basic.vendor_ecx = X86_VENDOR_AMD_ECX,
+                .basic.vendor_edx = X86_VENDOR_AMD_EDX,
+            },
+            .e = { 0, -1, -1 },
+        },
     };
 
     printf("Testing policy compatibility failure:\n");
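Review bot: Only `vendor_ebx` differs between host and guest in the new failure case, so the `vendor_ecx` and `vendor_edx` comparisons added in policy.c have no coverage; dropping either of them from the condition would not fail this test. Two further entries, each differing in only one of those registers and expecting the same `.e = { 0, -1, -1 }`, would close that gap. A case with two different known vendors would also match the patch title more directly than two unknown ones.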
diff --git a/xen/arch/x86/lib/cpu-policy/policy.c 
b/xen/arch/x86/lib/cpu-policy/policy.c
index f033d22785b..f991b1f3a96 100644
--- a/xen/arch/x86/lib/cpu-policy/policy.c
+++ b/xen/arch/x86/lib/cpu-policy/policy.c
@@ -15,7 +15,10 @@ int x86_cpu_policies_are_compatible(const struct cpu_policy 
*host,
 #define FAIL_MSR(m) \
     do { e.msr = (m); goto out; } while ( 0 )
 
-    if ( guest->basic.max_leaf > host->basic.max_leaf )
+    if ( (guest->basic.vendor_ebx != host->basic.vendor_ebx) ||
+         (guest->basic.vendor_ecx != host->basic.vendor_ecx) ||
+         (guest->basic.vendor_edx != host->basic.vendor_edx) ||
+         (guest->basic.max_leaf   >  host->basic.max_leaf) )
         FAIL_CPUID(0, NA);
 
     if ( guest->feat.max_subleaf > host->feat.max_subleaf )
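Review bot: The condition now folds the vendor comparison and the `max_leaf` bound into one `if` with a single `FAIL_CPUID(0, NA)`, and there is no comment explaining either the grouping or the reason for the new check. Both pieces of state are reported by CPUID leaf 0, so sharing the error is defensible, but a caller can no longer tell a vendor mismatch from a `max_leaf` overflow, and a one-line comment stating that cross-vendor policies are rejected on purpose would keep the rationale next to the code rather than only in the commit message. Since the comparison is strict equality on the raw registers, it is also worth confirming that no caller passes a guest policy whose `vendor_ebx`/`vendor_ecx`/`vendor_edx` were left zeroed, as such a policy would now fail against any host with a populated vendor string.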
-- 
2.43.0




 

